第十四章 : Spring Boot 整合spring-session,使用redis共享

第十四章 : Spring Boot 整合spring-session,使用redis共享

前沿

本文重点讲述:spring boot工程中使用spring-session机制进行安全认证,并且通过redis存储session,满足集群部署、分布式系统的session共享。

基于SPringBoot 2.3.2.RELEASE

背景

在传统单机web应用中,一般使用tomcat/jetty等web容器时,用户的session都是由容器管理。浏览器使用cookie中记录sessionId,容器根据sessionId判断用户是否存在会话session。这里的限制是,session存储在web容器中,被单台服务器容器管理。

但是网站主键演变,分布式应用和集群是趋势(提高性能)。此时用户的请求可能被负载分发至不同的服务器,此时传统的web容器管理用户会话session的方式即行不通。除非集群或者分布式web应用能够共享session,尽管tomcat等支持这样做。但是这样存在以下两点问题:

1、需要侵入web容器,提高问题的复杂
2、web容器之间共享session,集群机器之间势必要交互耦合

基于这些,必须提供新的可靠的集群分布式/集群session的解决方案,突破traditional-session单机限制(即web容器session方式,下面简称traditional-session),spring-session应用而生。

traditional-session和spring-session的区别

第十四章 : Spring Boot 整合spring-session,使用redis共享_第1张图片

springboot-session 集成redis示例
  1. 添加依赖:在pom.xml文件中添加Spring Session Redis的依赖。
<dependency>  
    <groupId>org.springframework.sessiongroupId>  
    <artifactId>spring-session-data-redisartifactId>  
dependency>
<dependency>
            <groupId>io.lettucegroupId>
            <artifactId>lettuce-coreartifactId>
dependency>
        
<dependency>
            <groupId>org.apache.commonsgroupId>
            <artifactId>commons-pool2artifactId>
dependency>
  1. 配置Redis:在application.yaml文件中添加Redis的配置信息,包括Redis的地址、端口号、密码等。
server:
  port: 8080
  servlet:
    context-path: /
    # session超时时间 默认30分钟
    session:
      timeout: 30m
spring:
  session:
    store-type: redis
    redis:
      # 会话刷新模式
      flush-mode: immediate
      # 用于存储会话的键的命名空间
      namespace: "spring:session"
  redis:
    host: 192.168.92.105
    port: 6379
    password: foobared
    # 连接超时时间(记得添加单位,Duration)
    timeout: 10000ms
    # Redis默认情况下有16个分片,这里配置具体使用的分片
    # database: 0
    lettuce:
      pool:
        # 连接池最大连接数(使用负值表示没有限制) 默认 8
        max-active: 8
        # 连接池最大阻塞等待时间(使用负值表示没有限制) 默认 -1
        max-wait: -1ms
        # 连接池中的最大空闲连接 默认 8
        max-idle: 8
        # 连接池中的最小空闲连接 默认 0
        min-idle: 0
  1. 注解开启session功能:并使用@EnableRedisHttpSession注解开启session功能。同时,可以设置session的超时时间。

    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.SpringBootApplication;
    import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
    
    @SpringBootApplication
    @EnableRedisHttpSession
    public class SpringbootDay09Application {
    
        public static void main(String[] args) {
            SpringApplication.run(SpringbootDay09Application.class, args);
        }
    
    }
    
  2. 创建Controller:在需要使用session的Controller中,注入HttpSession对象,并使用它来存储session数据。

    @RestController  
    public class SessionController {  
        @Autowired  
        private HttpSession httpSession;  
        @GetMapping("/set")  
        public String set(String name, String value) {  
            httpSession.setAttribute(name, value);  
            return "set " + name + "=" + value;  
        }  
        @GetMapping("/get")  
        public String get(String name) {  
            return (String) httpSession.getAttribute(name);  
        }  
    }
    
  3. 测试:分别调用各应用接口,查看sessionId是否一致。同时,可以查看Redis缓存信息,缓存中的sessionId与接口返回信息一致。

    第十四章 : Spring Boot 整合spring-session,使用redis共享_第2张图片

    第十四章 : Spring Boot 整合spring-session,使用redis共享_第3张图片

spring-session特点与工作原理
特点

spring-session在无需绑定web容器的情况下提供对集群session的支持。并提供对以下情况的透明集成:

  1. HttpSession:容许替换web容器的HttpSession
  2. WebSocket:使用WebSocket通信时,提供Session的活跃
  3. WebSession:容许以应用中立的方式替换webflux的webSession
工作原理
spring-session分为以下核心模块:
  • SessionRepositoryFilter:Servlet规范中Filter的实现,用来切换HttpSession至Spring Session,包装

    HttpServletRequest和HttpServletResponse

  • HttpServerletRequestWrapperHttpServletResponseWrapperHttpSessionWrapper包装器:包装原有的HttpServletRequest、HttpServletResponse和Spring Session,实现切换Session和透明继承HttpSession的关键之所在

  • Session:Spring Session模块

  • SessionRepository:管理Spring Session的模块

  • HttpSessionStrategy:映射HttpRequest和HttpResponse到Session的策略

    第十四章 : Spring Boot 整合spring-session,使用redis共享_第4张图片

  1. SessionRepositoryFilter

    SessionRepositoryFilter继承OncePerRequestFilter实现Filter

protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
    // 设置SessionRepository至Request的属性中
        request.setAttribute(SESSION_REPOSITORY_ATTR, this.sessionRepository);
    // 包装原始HttpServletRequest至SessionRepositoryRequestWrapper
        SessionRepositoryFilter<S>.SessionRepositoryRequestWrapper wrappedRequest = new SessionRepositoryFilter.SessionRepositoryRequestWrapper(request, response);
    // 包装原始HttpServletResponse响应至SessionRepositoryResponseWrapper
        SessionRepositoryFilter.SessionRepositoryResponseWrapper wrappedResponse = new SessionRepositoryFilter.SessionRepositoryResponseWrapper(wrappedRequest, response);

        try {
            filterChain.doFilter(wrappedRequest, wrappedResponse);
        } finally {
              // 提交session
            wrappedRequest.commitSession();
        }

    }

2、 SessionRepository

public interface SessionRepository<S extends Session> {
    S createSession();

    void save(S var1);

    S findById(String var1);

    void deleteById(String var1);
}

创建、保存、获取、删除Session的接口行为。根据Session的不同,分为很多种Session操作仓库。

第十四章 : Spring Boot 整合spring-session,使用redis共享_第5张图片

当创建一个RedisSession,然后存储在Redis中时,RedisSession的存储细节如下:

spring:session:sessions:33fdd1b6-b496-4b33-9f7d-df96679d32fe
spring:session:sessions:expires:33fdd1b6-b496-4b33-9f7d-df96679d32fe
spring:session:expirations:1439245080000

Redis会为每个RedisSession存储三个k-v。

第一个:k-v用来存储Session的详细信息,包括Session的过期时间间隔、最近的访问时间、attributes等等。这个k的过期时间为Session的最大过期时间 + 5分钟。如果默认的最大过期时间为30分钟,则这个k的过期时间为35分钟
第二个:k-v用来表示Session在Redis中的过期,这个k-v不存储任何有用数据,只是表示Session过期而设置。这个k在Redis中的过期时间即为Session的过期时间间隔
第三个:k-v存储这个Session的id,是一个Set类型的Redis数据结构。这个k中的最后的1439245080000值是一个时间戳,根据这个Session过期时刻滚动至下一分钟而计算得出。

3、 Session

spring-session和tomcat中的Session的实现模式上有很大不同,tomcat中直接对HttpSession接口进行实现,而spring-session中则抽象出单独的Session层接口,让后再使用适配器模式将Session适配层Servlet规范中的HttpSession。spring-sesion中关于session的实现和适配整个UML类图如下:

第十四章 : Spring Boot 整合spring-session,使用redis共享_第6张图片

MapSession的代码源码片段

public final class MapSession implements Session, Serializable {
    public static final int DEFAULT_MAX_INACTIVE_INTERVAL_SECONDS = 1800;
    private String id;
    private final String originalId;
    private Map<String, Object> sessionAttrs;
    private Instant creationTime;
    private Instant lastAccessedTime;
    private Duration maxInactiveInterval;
    private static final long serialVersionUID = 7160779239673823561L;

    public MapSession() {
        this(generateId());
    }

    public MapSession(String id) {
        this.sessionAttrs = new HashMap();
        this.creationTime = Instant.now();
        this.lastAccessedTime = this.creationTime;
        this.maxInactiveInterval = Duration.ofSeconds(1800L);
        this.id = id;
        this.originalId = id;
    }

    public MapSession(Session session) {
        this.sessionAttrs = new HashMap();
        this.creationTime = Instant.now();
        this.lastAccessedTime = this.creationTime;
        this.maxInactiveInterval = Duration.ofSeconds(1800L);
        if (session == null) {
            throw new IllegalArgumentException("session cannot be null");
        } else {
            this.id = session.getId();
            this.originalId = this.id;
            this.sessionAttrs = new HashMap(session.getAttributeNames().size());
            Iterator var2 = session.getAttributeNames().iterator();

            while(var2.hasNext()) {
                String attrName = (String)var2.next();
                Object attrValue = session.getAttribute(attrName);
                if (attrValue != null) {
                    this.sessionAttrs.put(attrName, attrValue);
                }
            }

            this.lastAccessedTime = session.getLastAccessedTime();
            this.creationTime = session.getCreationTime();
            this.maxInactiveInterval = session.getMaxInactiveInterval();
        }
    }

    public void setLastAccessedTime(Instant lastAccessedTime) {
        this.lastAccessedTime = lastAccessedTime;
    }

    public Instant getCreationTime() {
        return this.creationTime;
    }

    public String getId() {
        return this.id;
    }

    public String getOriginalId() {
        return this.originalId;
    }

    public String changeSessionId() {
        String changedId = generateId();
        this.setId(changedId);
        return changedId;
    }

    public Instant getLastAccessedTime() {
        return this.lastAccessedTime;
    }

    public void setMaxInactiveInterval(Duration interval) {
        this.maxInactiveInterval = interval;
    }

    public Duration getMaxInactiveInterval() {
        return this.maxInactiveInterval;
    }

    public boolean isExpired() {
        return this.isExpired(Instant.now());
    }

    boolean isExpired(Instant now) {
        if (this.maxInactiveInterval.isNegative()) {
            return false;
        } else {
            return now.minus(this.maxInactiveInterval).compareTo(this.lastAccessedTime) >= 0;
        }
    }

    public <T> T getAttribute(String attributeName) {
        return this.sessionAttrs.get(attributeName);
    }

    public Set<String> getAttributeNames() {
        return new HashSet(this.sessionAttrs.keySet());
    }

    public void setAttribute(String attributeName, Object attributeValue) {
        if (attributeValue == null) {
            this.removeAttribute(attributeName);
        } else {
            this.sessionAttrs.put(attributeName, attributeValue);
        }

    }

    public void removeAttribute(String attributeName) {
        this.sessionAttrs.remove(attributeName);
    }

    public void setCreationTime(Instant creationTime) {
        this.creationTime = creationTime;
    }

    public void setId(String id) {
        this.id = id;
    }

    public boolean equals(Object obj) {
        return obj instanceof Session && this.id.equals(((Session)obj).getId());
    }

    public int hashCode() {
        return this.id.hashCode();
    }

    private static String generateId() {
        return UUID.randomUUID().toString();
    }
}

RedisSession的代码源码片段


    final class RedisSession implements Session {
        private final MapSession cached;
        private final Map<String, Object> delta = new HashMap();
        private boolean isNew;
        private String originalSessionId;

        RedisSession(MapSession cached, boolean isNew) {
            this.cached = cached;
            this.isNew = isNew;
            this.originalSessionId = cached.getId();
            if (this.isNew) {
                this.delta.put("creationTime", cached.getCreationTime().toEpochMilli());
                this.delta.put("maxInactiveInterval", (int)cached.getMaxInactiveInterval().getSeconds());
                this.delta.put("lastAccessedTime", cached.getLastAccessedTime().toEpochMilli());
            }

            if (this.isNew || RedisSessionRepository.this.saveMode == SaveMode.ALWAYS) {
                this.getAttributeNames().forEach((attributeName) -> {
                    this.delta.put(RedisSessionRepository.getAttributeKey(attributeName), cached.getAttribute(attributeName));
                });
            }

        }

        public String getId() {
            return this.cached.getId();
        }

        public String changeSessionId() {
            return this.cached.changeSessionId();
        }

        public <T> T getAttribute(String attributeName) {
            T attributeValue = this.cached.getAttribute(attributeName);
            if (attributeValue != null && RedisSessionRepository.this.saveMode.equals(SaveMode.ON_GET_ATTRIBUTE)) {
                this.delta.put(RedisSessionRepository.getAttributeKey(attributeName), attributeValue);
            }

            return attributeValue;
        }

        public Set<String> getAttributeNames() {
            return this.cached.getAttributeNames();
        }

        public void setAttribute(String attributeName, Object attributeValue) {
            this.cached.setAttribute(attributeName, attributeValue);
            this.delta.put(RedisSessionRepository.getAttributeKey(attributeName), attributeValue);
            this.flushIfRequired();
        }

        public void removeAttribute(String attributeName) {
            this.setAttribute(attributeName, (Object)null);
        }

        public Instant getCreationTime() {
            return this.cached.getCreationTime();
        }

        public void setLastAccessedTime(Instant lastAccessedTime) {
            this.cached.setLastAccessedTime(lastAccessedTime);
            this.delta.put("lastAccessedTime", this.getLastAccessedTime().toEpochMilli());
            this.flushIfRequired();
        }

        public Instant getLastAccessedTime() {
            return this.cached.getLastAccessedTime();
        }

        public void setMaxInactiveInterval(Duration interval) {
            this.cached.setMaxInactiveInterval(interval);
            this.delta.put("maxInactiveInterval", (int)this.getMaxInactiveInterval().getSeconds());
            this.flushIfRequired();
        }

        public Duration getMaxInactiveInterval() {
            return this.cached.getMaxInactiveInterval();
        }

        public boolean isExpired() {
            return this.cached.isExpired();
        }

        private void flushIfRequired() {
            if (RedisSessionRepository.this.flushMode == FlushMode.IMMEDIATE) {
                this.save();
            }

        }

        private boolean hasChangedSessionId() {
            return !this.getId().equals(this.originalSessionId);
        }

        private void save() {
            this.saveChangeSessionId();
            this.saveDelta();
            if (this.isNew) {
                this.isNew = false;
            }

        }

        private void saveChangeSessionId() {
            if (this.hasChangedSessionId()) {
                if (!this.isNew) {
                    String originalSessionIdKey = RedisSessionRepository.this.getSessionKey(this.originalSessionId);
                    String sessionIdKey = RedisSessionRepository.this.getSessionKey(this.getId());
                    RedisSessionRepository.this.sessionRedisOperations.rename(originalSessionIdKey, sessionIdKey);
                }

                this.originalSessionId = this.getId();
            }

        }

        private void saveDelta() {
            if (!this.delta.isEmpty()) {
                String key = RedisSessionRepository.this.getSessionKey(this.getId());
                RedisSessionRepository.this.sessionRedisOperations.opsForHash().putAll(key, new HashMap(this.delta));
                RedisSessionRepository.this.sessionRedisOperations.expireAt(key, Date.from(Instant.ofEpochMilli(this.getLastAccessedTime().toEpochMilli()).plusSeconds(this.getMaxInactiveInterval().getSeconds())));
                this.delta.clear();
            }
        }
    }
}

在RedisSession中有两个非常重要的成员属性:

cached:实际上是一个MapSession实例,用于做本地缓存,每次在getAttribute时无需从Redis中获取,主要为了improve性能
delta:用于跟踪变化数据,做持久化

4、SessionRepositoryRequestWrapper

对于开发人员获取HttpSession的api

HttpServletRequest request = ...;
HttpSession session = request.getSession(true);

在spring session中request的实际类型SessionRepositoryRequestWrapper。调用SessionRepositoryRequestWrapper的getSession方法会触发创建spring session,而非web容器的HttpSession。

SessionRepositoryRequestWrapper用来包装原始的HttpServletRequest实现HttpSession切换至Spring Session。是透明Spring Session透明集成HttpSession的关键。

SessionRepositoryRequestWrapper继承HttpServletRequestWrapper,在构造方法中将原有的HttpServletRequest通过调用super完成对HttpServletRequestWrapper中持有的HttpServletRequest初始化赋值,然后重写和session相关的方法。这样就保证SessionRepositoryRequestWrapper的其他方法调用都是使用原有的HttpServletRequest的数据,只有session相关的是重写的逻辑。

private final class SessionRepositoryRequestWrapper extends HttpServletRequestWrapper {
        private final HttpServletResponse response;
        private S requestedSession;
        private boolean requestedSessionCached;
        private String requestedSessionId;
        private Boolean requestedSessionIdValid;
        private boolean requestedSessionInvalidated;

        private SessionRepositoryRequestWrapper(HttpServletRequest request, HttpServletResponse response) {
            super(request);
            this.response = response;
        }

        private void commitSession() {
            SessionRepositoryFilter<S>.SessionRepositoryRequestWrapper.HttpSessionWrapper wrappedSession = this.getCurrentSession();
            if (wrappedSession == null) {
                if (this.isInvalidateClientSession()) {
                    SessionRepositoryFilter.this.httpSessionIdResolver.expireSession(this, this.response);
                }
            } else {
                S session = wrappedSession.getSession();
                this.clearRequestedSessionCache();
                SessionRepositoryFilter.this.sessionRepository.save(session);
                String sessionId = session.getId();
                if (!this.isRequestedSessionIdValid() || !sessionId.equals(this.getRequestedSessionId())) {
                    SessionRepositoryFilter.this.httpSessionIdResolver.setSessionId(this, this.response, sessionId);
                }
            }

        }

        private SessionRepositoryFilter<S>.SessionRepositoryRequestWrapper.HttpSessionWrapper getCurrentSession() {
            return (SessionRepositoryFilter.SessionRepositoryRequestWrapper.HttpSessionWrapper)this.getAttribute(SessionRepositoryFilter.CURRENT_SESSION_ATTR);
        }

        private void setCurrentSession(SessionRepositoryFilter<S>.SessionRepositoryRequestWrapper.HttpSessionWrapper currentSession) {
            if (currentSession == null) {
                this.removeAttribute(SessionRepositoryFilter.CURRENT_SESSION_ATTR);
            } else {
                this.setAttribute(SessionRepositoryFilter.CURRENT_SESSION_ATTR, currentSession);
            }

        }

        public String changeSessionId() {
            HttpSession session = this.getSession(false);
            if (session == null) {
                throw new IllegalStateException("Cannot change session ID. There is no session associated with this request.");
            } else {
                return this.getCurrentSession().getSession().changeSessionId();
            }
        }

        public boolean isRequestedSessionIdValid() {
            if (this.requestedSessionIdValid == null) {
                S requestedSession = this.getRequestedSession();
                if (requestedSession != null) {
                    requestedSession.setLastAccessedTime(Instant.now());
                }

                return this.isRequestedSessionIdValid(requestedSession);
            } else {
                return this.requestedSessionIdValid;
            }
        }

        private boolean isRequestedSessionIdValid(S session) {
            if (this.requestedSessionIdValid == null) {
                this.requestedSessionIdValid = session != null;
            }

            return this.requestedSessionIdValid;
        }

        private boolean isInvalidateClientSession() {
            return this.getCurrentSession() == null && this.requestedSessionInvalidated;
        }

        public SessionRepositoryFilter<S>.SessionRepositoryRequestWrapper.HttpSessionWrapper getSession(boolean create) {
            SessionRepositoryFilter<S>.SessionRepositoryRequestWrapper.HttpSessionWrapper currentSession = this.getCurrentSession();
            if (currentSession != null) {
                return currentSession;
            } else {
                S requestedSession = this.getRequestedSession();
                if (requestedSession != null) {
                    if (this.getAttribute(SessionRepositoryFilter.INVALID_SESSION_ID_ATTR) == null) {
                        requestedSession.setLastAccessedTime(Instant.now());
                        this.requestedSessionIdValid = true;
                        currentSession = new SessionRepositoryFilter.SessionRepositoryRequestWrapper.HttpSessionWrapper(requestedSession, this.getServletContext());
                        currentSession.markNotNew();
                        this.setCurrentSession(currentSession);
                        return currentSession;
                    }
                } else {
                    if (SessionRepositoryFilter.SESSION_LOGGER.isDebugEnabled()) {
                        SessionRepositoryFilter.SESSION_LOGGER.debug("No session found by id: Caching result for getSession(false) for this HttpServletRequest.");
                    }

                    this.setAttribute(SessionRepositoryFilter.INVALID_SESSION_ID_ATTR, "true");
                }

                if (!create) {
                    return null;
                } else {
                    if (SessionRepositoryFilter.SESSION_LOGGER.isDebugEnabled()) {
                        SessionRepositoryFilter.SESSION_LOGGER.debug("A new session was created. To help you troubleshoot where the session was created we provided a StackTrace (this is not an error). You can prevent this from appearing by disabling DEBUG logging for " + SessionRepositoryFilter.SESSION_LOGGER_NAME, new RuntimeException("For debugging purposes only (not an error)"));
                    }

                    S session = SessionRepositoryFilter.this.sessionRepository.createSession();
                    session.setLastAccessedTime(Instant.now());
                    currentSession = new SessionRepositoryFilter.SessionRepositoryRequestWrapper.HttpSessionWrapper(session, this.getServletContext());
                    this.setCurrentSession(currentSession);
                    return currentSession;
                }
            }
        }

        public SessionRepositoryFilter<S>.SessionRepositoryRequestWrapper.HttpSessionWrapper getSession() {
            return this.getSession(true);
        }

        public String getRequestedSessionId() {
            if (this.requestedSessionId == null) {
                this.getRequestedSession();
            }

            return this.requestedSessionId;
        }

        public RequestDispatcher getRequestDispatcher(String path) {
            RequestDispatcher requestDispatcher = super.getRequestDispatcher(path);
            return new SessionRepositoryFilter.SessionRepositoryRequestWrapper.SessionCommittingRequestDispatcher(requestDispatcher);
        }

        private S getRequestedSession() {
            if (!this.requestedSessionCached) {
                List<String> sessionIds = SessionRepositoryFilter.this.httpSessionIdResolver.resolveSessionIds(this);
                Iterator var2 = sessionIds.iterator();

                while(var2.hasNext()) {
                    String sessionId = (String)var2.next();
                    if (this.requestedSessionId == null) {
                        this.requestedSessionId = sessionId;
                    }

                    S session = SessionRepositoryFilter.this.sessionRepository.findById(sessionId);
                    if (session != null) {
                        this.requestedSession = session;
                        this.requestedSessionId = sessionId;
                        break;
                    }
                }

                this.requestedSessionCached = true;
            }

            return this.requestedSession;
        }

        private void clearRequestedSessionCache() {
            this.requestedSessionCached = false;
            this.requestedSession = null;
            this.requestedSessionId = null;
        }

        

5、 SessionRepositoryResponseWrapper

private final class SessionRepositoryResponseWrapper extends OnCommittedResponseWrapper {
        private final SessionRepositoryFilter<S>.SessionRepositoryRequestWrapper request;

        SessionRepositoryResponseWrapper(SessionRepositoryFilter<S>.SessionRepositoryRequestWrapper request, HttpServletResponse response) {
            super(response);
            if (request == null) {
                throw new IllegalArgumentException("request cannot be null");
            } else {
                this.request = request;
            }
        }

        protected void onResponseCommitted() {
            this.request.commitSession();
        }
    }



5、 SessionRepositoryResponseWrapper 

```java
private final class SessionRepositoryResponseWrapper extends OnCommittedResponseWrapper {
        private final SessionRepositoryFilter.SessionRepositoryRequestWrapper request;

        SessionRepositoryResponseWrapper(SessionRepositoryFilter.SessionRepositoryRequestWrapper request, HttpServletResponse response) {
            super(response);
            if (request == null) {
                throw new IllegalArgumentException("request cannot be null");
            } else {
                this.request = request;
            }
        }

        protected void onResponseCommitted() {
            this.request.commitSession();
        }
    }

从注释上可以看出包装响应时为了:确保如果响应被提交session能够被保存。
第十四章 : Spring Boot 整合spring-session,使用redis共享_第7张图片

你可能感兴趣的:(Spring,Boot,系列,spring,boot,session,redis,session共享,分布式session)